Study the Best PenTest Algorithm for Blind SQL Injection Attacks

  • Aldebaran Bayu Nugroho Telkom University
  • Satria Mandala Telkom University
Abstract views: 791 , PDF downloads: 511

Abstract

There are several types of SQL injection attacks. One of the most popular SQL Injection Attacks is Blind SQL. This attack is performed by exploiting a gap in the database server when executing query words. If the server responds to an invalid query, the attacker will then reverse the engineering part of the SQL query, which is obtained from the error message of the server. The process of generating a blind SQL injection attack is complicated. As a result, a Pentester often requires a long time to penetrate the database server. This research provides solutions to the problems above by developing the automation of a blind SQL injection attack. The method used in this research is to generate keywords, such as the database name and table name so that the attacker can retrieve information about the user name and password. This research also compares several search algorithms, such as linear search, binary search, and interpolation search for generating the keywords of the attack. Automation of the Blind SQL Injection was successfully developed, and the performance of the keywords generation for each algorithm was also successfully measured, i.e., 1.7852 seconds for Binary Search, 1.789 seconds for interpolation and 1.902 seconds for Linear Search.

Downloads

Download data is not yet available.

Author Biographies

Aldebaran Bayu Nugroho, Telkom University
School of Computing
Satria Mandala, Telkom University
School of Computing

References

Acar, Y., Stransky, C., Wermke, D., Weir, C., Mazurek, M. L., & Fahl, S. (2017). Developers Need Support, Too: A Survey of Security Advice for Software Developers. Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017, 22–26. https://doi.org/10.1109/SecDev.2017.17

Ali, A. B. M., Shakhatreh, A. Y. I., Abdullah, M. S., & Alostad, J. (2011). SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks. In Procedia Computer Science (Vol. 3, pp. 453–458). https://doi.org/10.1016/j.procs.2010.12.076

Appelt, D., Nguyen, C. D., Briand, L. C., & Alshahwan, N. (2014). Automated testing for SQL injection vulnerabilities: an input mutation approach. Proceedings of the International Symposium on Software Testing and Analysis. https://doi.org/10.1145/2610384.2610403

Barbay, J., López-Ortiz, A., & Lu, T. (2006). Faster adaptive set intersections for text searching. In International Workshop on Experimental and Efficient Algorithms (pp. 146–157). Springer.

Graefe, G. (2006). B-tree indexes, interpolation search, and skew. In Proceedings of the 2nd international workshop on Data management on new hardware (p. 5). ACM.

Grossman, J. (2011). 10 important facts about website security and how they impact your enterprise. WhiteHat Security, 3.

Halfond, W. G. J., Choudhary, S. R., & Orso, A. (2009). Penetration testing with improved input vector identification. In Software Testing Verification and Validation, 2009. ICST’09. International Conference on (pp. 346–355).

Halfond, W. G., Viegas, J., & Orso, A. (2006). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13–15). IEEE.

Netcraft. (2018). Web Server Survey. Retrieved from https://news.netcraft.com/archives/2018/07/19/july-2018-web-server-survey.html#more-26592

OWASP, T. (10AD). Application Security Risks-2017, Open Web Application Security Project (OWASP).

Patil, S., Marathe, N., & Padiya, P. (2016). Design of efficient web vulnerability scanner. In Inventive Computation Technologies (ICICT), International Conference on (Vol. 2, pp. 1–6).

Rahim, R., Nurarif, S., Ramadhan, M., Aisyah, S., & Purba, W. (2017). Comparison Searching Process of Linear, Binary and Interpolation Algorithm. In Journal of Physics: Conference Series (Vol. 930, p. 12007). IOP Publishing.

Published
2020-06-10
How to Cite
Nugroho, A. B., & Mandala, S. (2020). Study the Best PenTest Algorithm for Blind SQL Injection Attacks. International Journal on Information and Communication Technology (IJoICT), 5(2), 1-10. https://doi.org/10.21108/IJOICT.2019.52.268
Section
Computer Networking and Communication